Hey Athos,

On 29/7/21 18:13, Athos Ribeiro wrote:
> On Thu, Jul 29, 2021 at 11:57:30AM -0300, Emilia Torino wrote:
>> Hey Sergio,
>>
>> On 29/7/21 11:45, Sergio Durigan Junior wrote:
>>> On Tuesday, July 27 2021, security-team-toolbox-...@canonical.com wrote:
>>>
>>>> New CVEs affecting packages used to build upstream based rocks have been
>>>> created in the Ubuntu CVE tracker:
>>>>
>>>> * https://github.com/prometheus/prometheus:
>>>> * https://github.com/hashicorp/consul: CVE-2021-32574, CVE-2021-36213
>>>> * https://github.com/gogo/protobuf:
>>>>
>>>> Please review your rock to understand if it is affected by these CVEs.
>>>>
>>>> Thank you for your rock and for attending to this matter.
>>>>
>>>> References:
>>>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-32574
>>>> https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2021-36213
>>>
>>> Hi Emi,
>>>
>>> I found the message above a bit confusing. There are three components
>>> listed (prometheus/prometheus, hashicorp/consul and gogo/protobuf), but
>>> only one (hashicorp/consul) has CVEs listed for it. Do the other two
>>> components also have CVEs opened against them?
>>
>> You are correct, this msg is confusing. Only CVEs affecting consul have
>> been created this time.
>
> Hi Emilia,
>
> Would it be possible for the Go related CVE alerts to be reported in a
> package level instead of in a module level?
>
> e.g., CVE-2021-36213: github.com/hashicorp/consul/agent/xds,
> github.com/hashicorp/consul/agent, ...
The current implementation only monitors 3 git trees which were/are present
in upstream based rocks. You can find further details about it here:
https://docs.google.com/document/d/1HL_9FeXCWKLSGW3cG8UeyexJqSw17LAM6a1r9IHomYI/edit#.
The current consul git tree was obtained from
https://pastebin.canonical.com/p/GMhwVwh8bK/ (it is also mentioned in the
shared doc).

> This would make it easier to determine whether one of our ROCKs is
> affected by the vulnerability and aid on taking decisions on
> how to act on them.

The sec team has an extensive history on triaging, monitoring, patching, etc.
CVEs affecting Ubuntu packages, but not other "package" types. Actually we
were already aware of the fact that this implementation is very basic, but
as per spec we committed to only monitor a set of git trees, not everything
in github, since we are still working on setting all processes and tools
needed for such a task. For sure we can work together on making this service
most useful for your team. We can probably add this to the next cycle.

> Moreover, am I correct if I suppose the tooling generating these alerts
> knows which ROCKs are possibly affected by the CVE? If so, would it be
> possible to also include that information here?

We have 2 different services implemented:

- one is the USNs notification service, which notifies about security
  updates affecting ubuntu-based rocks. We get each rock from docker hub, and
  compare the packages in their dpkg.query files against the USN database.
  You might have seen the emails describing the specific rock and packages
  affected. The list of rocks we are monitoring is: redis, nginx, apache2,
  memcached, mysql and postgres.

- the other service is the CVEs notification service, which should serve the
  purposes of notifying about upstream-based rocks: cortex and telegraf. Due
  to the reasons explained above, we did not commit to do the extensive
  vulnerabilities triage as we did for ubuntu based ones.
So it is a best effort to notify about a CVE being created in our tracker,
which could affect any of those. If it helps I can change the email subject
from "CVEs potentially affecting upstream based ROCKs" to "CVEs potentially
affecting cortex and telegraf". That is a very simple change I can quickly
add.

To confirm if the 3 git trees were present in both upstream based rocks we
were considering, I locally got them (docker pull ubuntu/cortex && docker
image save etc., same for telegraf) and in both cases I see the upstream
manifest empty. Is that correct?

> Finally, I did check that prometheus, telegraf, prometheus-alertmanager
> and cortex should be the candidates to be affected here. So far,
> prometheus and telegraf only use github.com/hashicorp/consul/api and
> should not be affected.
>
>>> Is there any reason why
>>> they're being listed in the message?

We also agree prometheus, prometheus-alertmanager and grafana were out of
this initial service, as they were based on snaps. Is that still correct?

>> This is a bug in our service. Since these are the 3 upstream
>> repositories we are monitoring, the template msg is incorrectly adding
>> the 3 when in this case, it should only list consul. I will add this bug
>> to our queue to fix it asap.
>>
>>> Thanks!
>>
>> Thank you!
>>
>> --
>> Mailing list: https://launchpad.net/~ubuntu-docker-images
>> Post to : ubuntu-docker-images@lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~ubuntu-docker-images
>> More help : https://help.launchpad.net/ListHelp